[Kamailio-Users] Firewall and auth
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jun 15 15:55:54 CEST 2009
Andreas Granig wrote:
> Hi all,
>
> I just tried a setup like
>
> [UA] --> [pub][Firewall][priv] --> [priv][Kam]
>
> where the Firewall maps the public IP reachable by UAs to a private IP
> where Kamailio is listening. If I run sipsak on the Kamailio-machine, I
> can register fine, but as soon as the request goes via Firewall,
> authentication stops working.
>
> So how does the IP of Kamailio actually influence authentication? Do I
> have to set something special on Kamailio to make this work?
>
> Here's the Register after a 401 and the resulting 401 again, and it
> looks pretty well to me (1.2.3.4 is the public Firewall IP, which is
> configured as outbound proxy on the UA, 172.17.10.50 is the private
> Kamailio-IP and is also used as domain for user sipwise1, which is
> trying to register). Trace is taken on client-side, but looks the same
> on the Kamailio server (NAT seems to be handled fine):
>
> U 192.168.123.150:50600 -> 1.2.3.4:5060
> REGISTER sip:1.2.3.4 SIP/2.0.
> Via: SIP/2.0/UDP 192.168.123.150:50600;rport;branch=z9hG4bK906580090.
> From: <sip:sipwise1@172.17.10.50>;tag=1631756043.
> To: <sip:sipwise1@172.17.10.50>.
> Call-ID: 1235449552.
> CSeq: 4 REGISTER.
> Contact: <sip:sipwise1@192.168.123.150:50600;line=e779ddd40d3251b>.
> Authorization: Digest username="sipwise1", realm="172.17.10.50",
> nonce="4a06e2820000000a80c173db2d166fedb7d8d1e933c97855",
> uri="sip:1.2.3.4", response="de645a701a7c507c47a5278923bce54b",
> algorithm=MD5.
> Max-Forwards: 70.
> User-Agent: Linphone/2.1.1 (eXosip2/3.1.0).
> Expires: 900.
> Content-Length: 0.
>
> U 1.2.3.4:5060 -> 192.168.123.150:50600
> SIP/2.0 401 Unauthorized.
> Via: SIP/2.0/UDP 192.168.123.150:50600;rport=50600;branch=z9hG4bK906580090;received=213.47.175.165.
> From: <sip:sipwise1@172.17.10.50>;tag=1631756043.
> To: <sip:sipwise1@172.17.10.50>;tag=a49efde55ae28efd11dc5969af09c5db.b607.
> Call-ID: 1235449552.
> CSeq: 4 REGISTER.
> WWW-Authenticate: Digest realm="172.17.10.50",
> nonce="4a06e2820000000b2bd307dd3e71c80e3d6549ccc2b28269".
> Server: Sipwise registrar.
> Content-Length: 0.
>
> So the only thing referring to the public Firewall IP is in the R-Uri of
> the registration and in the Authorization-uri-token. Is this token also
> used to calculate the auth hashes somehow?
Yes, the uri="" parameter is also used for calculation of the response.
So, if this gets changed then there will be a problem.
Further, the proxy should compare the RURI with the uri="" parameter to
detect man-in-the-middle attacks. AFAIK this is not done in the code,
but needs to be done in the config.
regards
klaus
> Username looks fine in the Authorization header, and so does Realm. Any
> ideas?
>
> Andreas
>
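To make Klaus's two points concrete, here is an added example (not code from the thread or from Kamailio) that computes the RFC 2617 Digest response the way a UA does, with the uri= parameter folded into HA2, and then performs the registrar-side check he says must be done in config: the uri= parameter is compared against the Request-URI actually received before the digest is recomputed. Username, realm and nonce are taken from the trace above; the password is a constructed placeholder.

```python
import hashlib

# Values taken from the trace in the thread; the password is a constructed
# placeholder, since the real one is not on the list.
USERNAME = "sipwise1"
REALM = "172.17.10.50"
NONCE = "4a06e2820000000a80c173db2d166fedb7d8d1e933c97855"
PASSWORD = "constructed-example-password"


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop, matching the 401 in the trace (no qop=)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")          # the uri= parameter lives here
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(uri):
    """Authorization header a UA sends for a REGISTER whose Request-URI is `uri`."""
    resp = digest_response(USERNAME, REALM, PASSWORD, "REGISTER", uri, NONCE)
    return (f'Digest username="{USERNAME}", realm="{REALM}", nonce="{NONCE}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5')


def parse_authorization(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (no commas inside values here)."""
    params = {}
    for part in header[len("Digest "):].split(","):
        key, _, value = part.strip().partition("=")
        params[key.strip()] = value.strip().strip('"')
    return params


def check_register(request_uri, auth_header, password):
    """Registrar-side check: uri= must equal the Request-URI the registrar
    actually received; only then is the digest recomputed over that URI."""
    p = parse_authorization(auth_header)
    if p["uri"] != request_uri:
        return "uri-mismatch"      # R-URI rewritten in transit, or header tampered
    expected = digest_response(p["username"], p["realm"], password,
                               "REGISTER", p["uri"], p["nonce"])
    return "ok" if expected == p["response"] else "bad-credentials"


if __name__ == "__main__":
    hdr = build_authorization("sip:1.2.3.4")          # UA signs the public IP
    print(check_register("sip:1.2.3.4", hdr, PASSWORD))       # ok
    print(check_register("sip:172.17.10.50", hdr, PASSWORD))  # uri-mismatch
```

The second call shows what happens when the registrar sees a different Request-URI than the one the UA put into uri=: the mismatch is caught before any credential check, which is the comparison Klaus recommends adding to the config.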